 
rcocchiararo
newbie
Topic Author
Posts: 41
Joined: Sat Dec 12, 2015 8:59 pm

CHR on azure for wireguard

Thu Mar 03, 2022 12:11 pm

Hi there

I've been using Mikrotik for personal stuff for ages, and recently learned about Wireguard after the V7 upgrade

I help an NGO (got them an Azure sponsorship), and since they can't get a public IP (the ISP gives them a fake public IP behind double NAT), I thought about setting up a VM to be their WireGuard "core".

I could go Linux, but I like Mikrotik and made a CHR instance.

The VM has only one physical (well, virtual) interface.

Should I add another in a different network to use as WAN and the current one (same as the sole azure VM they use) be left as LAN?

I am accustomed to mikrotiks with 5 interfaces (1 as WAN, 4 in bridge) for home/small office use (no plans).

Here, I would only use the CHR for wireguard (office/guardpost/road warriors would connect to it, gaining access to the azure VM AND the office network).

My idea is/was to only expose the WG port and allow CHR management either from WG or the azure VM (which would share LAN with the CHR).

Do I need a WAN interface and "normal" firewall settings in this case? (CHR would be behind Azure's firewall)
 
FurfangosFrigyes
newbie
Posts: 43
Joined: Sun Feb 25, 2018 11:45 am

Re: CHR on azure for wireguard

Thu Mar 03, 2022 12:31 pm

I have a CHR in Azure and it has only one interface with a public IP. I added a Network Security Group to the MikroTik NIC and opened only the necessary port for the VPN connection. It is not a problem to have only one NIC because I can configure the firewall on the CHR using the source IP address. I created an address list with the local addresses, and all other IPs/connections are considered as "coming from WAN".
 
rcocchiararo
newbie
Topic Author
Posts: 41
Joined: Sat Dec 12, 2015 8:59 pm

Re: CHR on azure for wireguard

Sun Mar 06, 2022 1:18 am

My Azure interface had only the option of using the 10.0.1.0/24 IP range.

I added 10.1.0.0/24 too.

Then I added a 2nd interface to the CHR VM:

ethernet1: 10.1.0.0/24 address range and public IP
ethernet2: 10.0.0.0/24 address range and no public IP

The CHR can ping my Azure VM that shares the 10.0.0.0/24 address space.

I then enabled the typical rules I use, LAN/WAN interface lists (WG and ethernet2 are LAN, ethernet1 is WAN), allowed external access to the WireGuard port, and configured WireGuard as I already know (I used 10.0.9.0/24 for WireGuard).

I can connect to the CHR but I fail to reach the other Azure VM.

This is my 5th WG setup; I was previously able to:

1) Get road warrior access to the WG address of my MikroTik and my local LAN
2) Same as before with the NGO's office
3) site2site between my MikroTik and the office (that requires some manual route creation for the local LANs of each site to reach each other)
4) Road warrior access to the Azure VM

Now, I want to get road warrior/site2site to the CHR, and then have access to both Azure and any other local LAN I might join (this is needed for each place that has no true public IP).

Everything I tried failed (I even set rules allowing traffic between WG and the ethernet2 address range, normally not needed with the default rules), with no luck (I saw packets in one direction, not the other).

I will now try again with only one interface; I came here in case someone might know what my issue is.
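An added example (not posted by either participant, and not MikroTik's own configuration) of the single-NIC layout FurfangosFrigyes describes, combined with the WireGuard setup rcocchiararo is attempting: only the WireGuard port is reachable from arbitrary sources, and management plus forwarding are decided by an address list rather than by a WAN interface. Assumed values: ether1 is the sole Azure NIC with private address 10.0.0.4/24, the WireGuard interface is wg-core on 10.0.9.1/24 (the thread's 10.0.9.0/24), listen port 13231, the other Azure VM is 10.0.0.5, the office LAN is 192.168.10.0/24, and the peer keys are placeholders to be replaced with real ones. The Azure-side pieces (NSG allowing only UDP/13231 inbound, IP forwarding on the NIC) are outside this configuration.

```routeros
# Added example for a single-NIC CHR in Azure used only as a WireGuard hub.
# All names, addresses and keys below are assumptions, not values from the thread.

/interface wireguard
add name=wg-core listen-port=13231 mtu=1420
/ip address
add address=10.0.9.1/24 interface=wg-core

# One peer per office or road warrior. allowed-address must list every prefix
# that may arrive from that peer, including the office LAN for site-to-site.
/interface wireguard peers
add interface=wg-core public-key="<OFFICE_PUBLIC_KEY>" \
    allowed-address=10.0.9.2/32,192.168.10.0/24 comment=office
add interface=wg-core public-key="<LAPTOP_PUBLIC_KEY>" \
    allowed-address=10.0.9.10/32 comment=road-warrior

# allowed-address only filters; the route to the office LAN is still needed.
/ip route
add dst-address=192.168.10.0/24 gateway=wg-core

# "local" = every source trusted to reach management and to be forwarded.
# Anything not in this list is treated as coming from the WAN, whatever NIC it used.
/ip firewall address-list
add list=local address=10.0.0.0/24 comment="Azure subnet shared with the other VM"
add list=local address=10.0.9.0/24 comment="WireGuard tunnel addresses"
add list=local address=192.168.10.0/24 comment="office LAN reached via WireGuard"

/ip firewall filter
# input: traffic to the CHR itself
add chain=input action=accept connection-state=established,related \
    comment="replies to flows the router started"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard handshakes may come from any public source"
add chain=input action=accept protocol=udp src-address=168.63.129.16 dst-port=68 \
    comment="Azure platform address used for DHCP renewals on the NIC"
add chain=input action=accept src-address-list=local \
    comment="Winbox/SSH/API only from local sources (tunnel or Azure subnet)"
add chain=input action=drop comment="everything else, including management from the Internet"

# forward: traffic through the CHR
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address-list=local dst-address-list=local \
    comment="tunnel <-> Azure subnet <-> office, nothing else transits"
add chain=forward action=drop
```

Two caveats from a defender's side. First, the `local` list is doing the job a WAN interface normally does, so every prefix added to it (new office LANs, new peers) widens the management surface; keep it to what the tunnel actually needs. Second, these rules only let packets into the CHR and out again; they do not make the Azure VM send its replies back through the CHR. A reply from 10.0.0.5 to a 10.0.9.x or 192.168.10.x source follows the subnet's default routing unless Azure itself has a route for those prefixes pointing at the CHR's private address, which is the "packets in one direction, not the other" symptom described above.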
 
rcocchiararo
newbie
Topic Author
Posts: 41
Joined: Sat Dec 12, 2015 8:59 pm

Re: CHR on azure for wireguard

Sun Mar 06, 2022 1:27 am

Maybe worth mentioning, the CHR is unable to get the cloud DDNS function going (I got a demo license); the public address/DNS name remains blank.

I tried a script for getting the public IP:

{
/tool fetch url="http://myip.dnsomatic.com/" mode=http dst-path=mypublicip.txt
# script commands need the leading colon: ":local" and ":put", not "local"/"put"
:local ip [/file get mypublicip.txt contents]
:put $ip
}

And I get one different from the one displayed on Azure.
 
FurfangosFrigyes
newbie
Posts: 43
Joined: Sun Feb 25, 2018 11:45 am

Re: CHR on azure for wireguard

Sun Mar 06, 2022 9:22 am

Did you enable the IP Forwarding on the Mikrotik CHR VM NIC?
[attachment: IP Forward.png]
 
rcocchiararo
newbie
Topic Author
Posts: 41
Joined: Sat Dec 12, 2015 8:59 pm

Re: CHR on azure for wireguard

Sun Mar 06, 2022 1:44 pm

Did you enable the IP Forwarding on the Mikrotik CHR VM NIC?

[attachment: IP Forward.png]
I didn't know about that before

After I kept failing I googled some more and enabled that, still did not work, so I rebooted the VM and went to sleep.

Will test more today.
 
FurfangosFrigyes
newbie
Posts: 43
Joined: Sun Feb 25, 2018 11:45 am

Re: CHR on azure for wireguard

Sun Mar 06, 2022 1:50 pm

Did you enable the IP Forwarding on the Mikrotik CHR VM NIC?

[attachment: IP Forward.png]
I didn't know about that before

After I kept failing I googled some more and enabled that, still did not work, so I rebooted the VM and went to sleep.

Will test more today.
You need to add a route table to that subnet in Azure and add custom routes. The route type must be virtual appliance and the gateway is the Mikrotik private IP address from the subnet!
[attachment: route_wireguard.png]
